[resolved] Infected, slew of hijackers and worms.
Edit: Sorry for skipping hello at first. I suppose I'm in something of a panic to fix my computer. From what I've observed this is becoming a rather fast-growing community. You seem to know what you are doing, so I was hoping someone could help.
Here's my story:
For a long time I have done just fine at keeping my computer clean; today part of the Windows system was infected. I repair-installed Windows with no problems. Upon attempting to re-install Service Pack 2, cmd.exe was "in use". I'm fully aware that I am infected with Worm.VB.Ymeak.A (B.exe), and I am also aware of a buffer-overrun trojan (exploiting port errors and svchost.exe, FIXED in Service Pack 2, which I can no longer install).
The following tools no longer function for me, for the stated reasons:
BitDefender: No longer updates virus definitions successfully, will not remove detected threats.
HouseCall (Trend Micro): Detects threats successfully, crashes browsers before completing.
Spybot S&D: Detects threats, "removes them", they pop up again later.
Ad-Aware SE: same as above.
I would greatly appreciate help. I will need assistance using HijackThis because I have never used it before, but I am aware of how often it is needed.
Edit: I believe I have figured the tool out.
Logfile of HijackThis v1.99.1
Scan saved at 10:48:53 AM, on 12/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\SpSubRx.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vqfpmrlsqffmksbyveu.com/U0ZY_QN/coCxj3yxzrNpJICEDLsuRj5iVRFr_iL0TyPA/A4ToGnV7TZXOMmn0UEn.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: (no name) - {5142541E-5000-04F1-7037-E2B08EE7720E} - C:\DOCUME~1\Ruth\APPLIC~1\PLAYCL~1\GLUE KIND.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
While I wait for a reply I'll attempt to compile as much scan and report data from as many programs as possible. It will be added below.
Saturday, December 02, 2006 12:59:01 PM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/12/2006
Kaspersky Anti-Virus database records: 233469
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 132840
Number of viruses found: 9
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:53:04
Infected Object Name / Virus Name / Last Action
C:\data Infected: Trojan-Downloader.Win32.IstBar.nh skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe Infected: Trojan-Dropper.Win32.VB.lu skipped
C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-28e0253d-6a70b414.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Chris\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\dfsr.db Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\fsr.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\tmp.edb Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows Live Contacts\iron_potato@juno.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows Live Contacts\iron_potato@juno.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012006120220061203\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFBB82.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFBC76.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFDACF.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFDB51.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFFCFC.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe/stream Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruth\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Program Files\InstallShield Installation Information\{3D9231F6-A287-4222-9EBC-519BB206F590}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7C32C567-DC0F-4C80-B06C-7873850A2E06}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7D268154-7A31-40F2-9779-7A250914BB39}\setup.ilg Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP0.EXE Infected: Backdoor.Win32.Landis.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP1.EXE Infected: Trojan-Proxy.Win32.Ranky.bp skipped
C:\Program Files\outlook\v.tmp Infected: P2P-Worm.Win32.VB.dw skipped
C:\Program Files\World of Warcraft\Logs\gx.log Object is locked skipped
C:\Program Files\World of Warcraft\Logs\Sound.log Object is locked skipped
C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch\wow-partial-2.MPQ Object is locked skipped
C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch\wow-partial-3.MPQ Object is locked skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000004.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000180.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000535.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0000581.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP8\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\kb824141.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\kb828035.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035_RTM$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035_RTM$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
C:\WINDOWS\$NtUninstallQ328940$\reg00003 Object is locked skipped
C:\WINDOWS\b.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DCDFB8B4-F243-4C1A-AD67-DEBB372EE98E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\cmd.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\ipconfig.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\netstat.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\ping.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\regedt32.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\taskkill.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\taskmgr.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\tracert.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\Αdobe\lsass.exe Infected: Trojan-Downloader.Win32.PurityScan.dr skipped
C:\WINDOWS\Temp\HP000000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP000001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP000002.PDL Object is locked skipped
C:\WINDOWS\Temp\HP000003.PDL Object is locked skipped
C:\WINDOWS\Temp\HP000004.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP001001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001002.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001003.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001004.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001005.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001006.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001007.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001008.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001009.PDL Object is locked skipped
C:\WINDOWS\Temp\HP00100A.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP002001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002002.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002003.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002004.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002005.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002006.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002007.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002008.PDL Object is locked skipped
C:\WINDOWS\Temp\HP004000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP004001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP004002.PDL Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1d10.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_670.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_c5c.dat Object is locked skipped
C:\WINDOWS\Temp\~INS0363.~MP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Update: B.exe was successfully removed by me; I still need help with the rest.
I seem to recall svchost.exe being a needed system file; however, I think that is in folder 13B8 or whatever it's called. If I remove the one from Startup it should not affect my OS, correct?
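The triage an analyst does by eye on a HijackThis log like the one above, written out as a script so the checks are explicit. This is an added example, not part of the original post and not a HijackThis feature. The sample log lines are constructed in the v1.99 format (modelled on, not copied from, the log above), and the list of core binary names, the directory patterns and the severity labels are the author's own heuristics.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not a HijackThis
feature).  It encodes the checks applied by eye to a log like the one above:
a core Windows binary name (svchost.exe, lsass.exe, ...) running from anywhere
but System32, a path containing a non-ASCII look-alike character, an autostart
entry with no path, a program autostarting from a profile data directory, the
Win9x-era RunServices key, and orphaned "(file missing)" references.
Name lists and directory patterns are heuristics chosen for this example."""
import re
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
# Binaries Windows starts only from System32; a same-named file anywhere else
# is a decoy.  Heuristic list, not exhaustive.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe"}
PROFILE_DIRS = (r"\application data", r"\applic~1", r"\local settings\temp")

O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.*)$")
O23_SVC = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
EXE_IN_CMD = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|com|scr))(?=\s|,|$)', re.I)

# Constructed sample in HijackThis format; the Greek capital alpha in "Αdobe"
# mimics a look-alike folder name.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\WINDOWS\System32\Αdobe\lsass.exe
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: svchost.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "high" or "review"
    reason: str


def exe_from_command(cmd: str) -> str:
    """First token of a Run command: the quoted part, or the text up to .exe/.dll."""
    m = EXE_IN_CMD.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def check_binary_path(line: str, path: str, out: list) -> None:
    """Checks that apply to any executable path HijackThis reports."""
    if any(ord(c) > 127 for c in path):
        out.append(Finding(line, "high", "non-ASCII character in path (look-alike of a trusted folder)"))
    directory, _, name = path.rpartition("\\")
    directory, name = directory.lower(), name.lower()
    if name in CORE_NAMES and directory != SYSTEM32:
        out.append(Finding(line, "high", f"{name} outside System32: {directory or '(no path)'}"))
    elif not directory and name != "rundll32.exe":
        out.append(Finding(line, "review", f"{name} has no path; found via PATH search order, locate it"))
    elif any(t in directory for t in PROFILE_DIRS):
        out.append(Finding(line, "review", "executable autostarting from a profile data directory"))


def triage(log: str) -> list:
    out: list = []
    for line in log.splitlines():
        line = line.strip()
        if "(file missing)" in line:
            out.append(Finding(line, "review", "orphaned reference, remove the entry"))
        if re.match(r"^[A-Za-z]:\\", line):  # a path from the "Running processes:" block
            check_binary_path(line, line, out)
        elif m := O4_RUN.match(line):
            _, key, _, cmd = m.groups()
            exe = exe_from_command(cmd)
            if exe.lower() == "rundll32.exe":  # rundll32 is fine; inspect the DLL it loads
                exe = exe_from_command(cmd.strip()[len(exe):])
            check_binary_path(line, exe, out)
            if key.lower() == "runservices":
                out.append(Finding(line, "high", "RunServices is a Win9x-era key XP does not run; "
                                                 "a writer of it targets every Windows version blindly"))
        elif m := O4_STARTUP.match(line):
            value = m.group(1)
            if " = " in value:  # shortcut: check its resolved target, if HijackThis could resolve it
                target = value.split(" = ", 1)[1]
                if target != "?":
                    check_binary_path(line, target, out)
            else:  # a file placed directly in a Startup folder
                check_binary_path(line, "<Startup folder>\\" + value, out)
        elif m := O23_SVC.match(line):
            _, owner, path = m.groups()
            check_binary_path(line, path.replace(" (file missing)", ""), out)
            if owner == "Unknown owner":
                out.append(Finding(line, "review", "service with no vendor string; verify the binary"))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against a real log, the "high" findings are the entries to kill first (the Startup-folder svchost.exe, the look-alike Αdobe directory, the pathless winhost.exe in RunServices); the "review" findings are the ones to verify before deleting, since legitimate software also shows up as "Unknown owner" or autostarts from Application Data.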
Here's my story:
For a long time I have done just fine at keeping my computer clean, today part of the windows system was infected. I repair-installed windows with no problems. Upon attempting to re-install service pack two cmd.exe was "in use" I'm fully aware that I am infected with Worm.VB.Ymeak.A (B.exe), and i am also aware of a buffer-overun trojan (exploiting port errors and Svchost.exe, FIXED in service pack 2.. which i can no longer install)
The following tools no longer function for me for stated reasons:
Bitdefender: No longer updates virus definitions sucsessfully, will not remove detected threats.
Housecall (trendmicro): Detects threats sucsessfully, crashes browsers before complete.
Spybot S&D: Detecs threats, "removes them", they pop up again later
Ad-aware SE: same as above.
I would greatly appreciate help. I will need asistance using Hyjackthis becuase i have never used it before but i am aware of how often it is needed.
Edit: i Believe i have figured the tool out.
Logfile of HijackThis v1.99.1
Scan saved at 10:48:53 AM, on 12/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\SpSubRx.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vqfpmrlsqffmksbyveu.com/U0ZY_QN/coCxj3yxzrNpJICEDLsuRj5iVRFr_iL0TyPA/A4ToGnV7TZXOMmn0UEn.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: (no name) - {5142541E-5000-04F1-7037-E2B08EE7720E} - C:\DOCUME~1\Ruth\APPLIC~1\PLAYCL~1\GLUE KIND.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
While I wait for a reply I'll attempt to compile as much scan and report data from as many programs as possible. They will be added below.
Saturday, December 02, 2006 12:59:01 PM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/12/2006
Kaspersky Anti-Virus database records: 233469
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 132840
Number of viruses found: 9
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:53:04
Infected Object Name / Virus Name / Last Action
C:\data Infected: Trojan-Downloader.Win32.IstBar.nh skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe Infected: Trojan-Dropper.Win32.VB.lu skipped
C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-28e0253d-6a70b414.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\Chris\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\dfsr.db Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\fsr.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Messenger\iron_potato@juno.com\SharingMetadata\Working\database_9E60_D835_60D8_163D\tmp.edb Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows Live Contacts\iron_potato@juno.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows Live Contacts\iron_potato@juno.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012006120220061203\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFBB82.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFBC76.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFDACF.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFDB51.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFFCFC.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe/stream Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruth\Local Settings\Temp\AntiPhishing\FDE76B9D-4657-4B28-AE87-04EFD23D4EB6.dat Object is locked skipped
C:\Program Files\InstallShield Installation Information\{3D9231F6-A287-4222-9EBC-519BB206F590}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7C32C567-DC0F-4C80-B06C-7873850A2E06}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7D268154-7A31-40F2-9779-7A250914BB39}\setup.ilg Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP0.EXE Infected: Backdoor.Win32.Landis.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\Incoming\AP1.EXE Infected: Trojan-Proxy.Win32.Ranky.bp skipped
C:\Program Files\outlook\v.tmp Infected: P2P-Worm.Win32.VB.dw skipped
C:\Program Files\World of Warcraft\Logs\gx.log Object is locked skipped
C:\Program Files\World of Warcraft\Logs\Sound.log Object is locked skipped
C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch\wow-partial-2.MPQ Object is locked skipped
C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch\wow-partial-3.MPQ Object is locked skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000004.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000180.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000535.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0000581.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP8\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\kb824141.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141_RTM$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\kb828035.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035_RTM$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035_RTM$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
C:\WINDOWS\$NtUninstallQ328940$\reg00003 Object is locked skipped
C:\WINDOWS\b.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DCDFB8B4-F243-4C1A-AD67-DEBB372EE98E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\cmd.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\ipconfig.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\netstat.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\ping.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\regedt32.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\taskkill.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\taskmgr.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\tracert.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\Αdobe\lsass.exe Infected: Trojan-Downloader.Win32.PurityScan.dr skipped
C:\WINDOWS\Temp\HP000000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP000001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP000002.PDL Object is locked skipped
C:\WINDOWS\Temp\HP000003.PDL Object is locked skipped
C:\WINDOWS\Temp\HP000004.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP001001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001002.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001003.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001004.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001005.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001006.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001007.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001008.PDL Object is locked skipped
C:\WINDOWS\Temp\HP001009.PDL Object is locked skipped
C:\WINDOWS\Temp\HP00100A.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP002001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002002.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002003.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002004.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002005.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002006.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002007.PDL Object is locked skipped
C:\WINDOWS\Temp\HP002008.PDL Object is locked skipped
C:\WINDOWS\Temp\HP004000.IDX Object is locked skipped
C:\WINDOWS\Temp\HP004001.PDL Object is locked skipped
C:\WINDOWS\Temp\HP004002.PDL Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1d10.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_670.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_c5c.dat Object is locked skipped
C:\WINDOWS\Temp\~INS0363.~MP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Update: B.exe was successfully removed by me; still need help with the rest.
I seem to recall svchost.exe being a needed system file; however, I think that is in folder 13B8 or whatever it's called. If I remove the one from startup it should not affect my OS, correct?
Comments
There is some work to be done on this computer. Please follow all of my instructions carefully and do not rush through them. If you get stuck, stop and ask.
Please do the following...
I don't see any indication of a Firewall in your HijackThis log. This may be because:
(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons.
(4.) You don't use any firewall at all.
In the case you don't have a Firewall, please download one from the list below - They are Free!
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
_____________________________
Download the W32.Bropia Removal Tool and save it to your Desktop.
Close ALL open programs and windows
Run the tool and follow the instructions.
_____________________________
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
- First close any other programs you have running as this will require a reboot
- Double click NoLop.exe to run it
- Carefully type or copy and paste this series of characters into the lower text area labelled Insert CLSID Here. Include the {}:
{5142541E-5000-04F1-7037-E2B08EE7720E}
- Now click the button labelled "Search and Destroy"
- When scanning is finished you will be prompted to reboot only if infected, Click OK
- Now click the "REBOOT" Button.
- A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--
<<your computer will now be scanned for infected files>>
Also, I would like to see another log from HijackThis.
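Before working through the steps above, it helps to know which of the log entries in this thread stand out and why. The following is an added example, not code from the thread, from HijackThis or from any of the tools named above: a small Python triage script that reads lines in the format of the logs posted here and flags the patterns a reviewer looks for first, namely a core system binary name (svchost.exe, lsass.exe and the like) started from anywhere but System32 itself, auto-run entries that live under user data directories, registrations whose file HijackThis reports as "(file missing)", services with no known owner, a bare program name in a Run key, and directory names that decode cleanly as base64. The sample log is a handful of lines copied from the logs in this thread and is labelled as such; the rule set, thresholds and function names are the example's own assumptions, and a hit is a prompt to inspect the entry, not a verdict on it.

```python
"""Triage of HijackThis-style log lines (added example; not from the thread).
Rules, names and thresholds are this example's own assumptions. A hit is a
prompt to inspect the entry, not a verdict on it."""
import base64
import binascii
import re

# Core processes that are only legitimate directly inside %SystemRoot%\System32.
SYSTEM32_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "services.exe", "smss.exe"}
# Long and 8.3 fragments of user-writable data directories.
USER_DATA_DIRS = ("\\documents and settings\\", "\\application data\\",
                  "\\local settings\\", "\\temp\\", "\\docume~1\\", "\\applic~1\\")

_O4_RE = re.compile(r"^O4 - (?P<key>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$")
_EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)
_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)", re.IGNORECASE)


def decode_base64_component(component):
    """Decoded text if *component* is 8+ base64 chars yielding printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", component):
        return None
    body = component.rstrip("=")
    if len(body) % 4 == 1:                      # no base64 string has this length
        return None
    try:
        text = base64.b64decode(body + "=" * (-len(body) % 4), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def executable_of(target):
    """Program path from an O4 target like '"C:\\x\\y.exe" -flag' or a bare 'winhost.exe'."""
    m = _EXE_RE.match(target.strip())
    return m.group("exe") if m else target.strip()


def check_path(path):
    """Reasons a single program or DLL path looks wrong (empty list if none)."""
    reasons = []
    parent, _, name = path.replace("/", "\\").rpartition("\\")
    if name.lower() in SYSTEM32_BINARIES and not parent.lower().endswith("\\system32"):
        reasons.append(f"{name} is not running from System32 (location: {parent or 'not given'})")
    if any(frag in path.lower() for frag in USER_DATA_DIRS):
        reasons.append("lives under a user data directory")
    for component in parent.split("\\")[1:]:     # skip the drive letter
        decoded = decode_base64_component(component)
        if decoded is not None:
            reasons.append(f"directory {component!r} decodes as base64 to {decoded!r}")
    return reasons


def triage_line(line):
    """Reasons a HijackThis line deserves a look; [] when nothing stands out."""
    reasons, low = [], line.lower()
    if "(file missing)" in low:
        reasons.append("file is gone but the registration is still live")
    if line.startswith("O23 - ") and "unknown owner" in low:
        reasons.append("service binary carries no publisher information")
    paths = set(_PATH_RE.findall(line))
    m = _O4_RE.match(line)
    if m:
        exe = executable_of(m.group("target"))
        paths.add(exe)
        if m.group("key").startswith("HK") and "\\" not in exe and exe.lower() != "rundll32.exe":
            reasons.append("bare program name, resolved by PATH search at logon; locate the file")
    for path in sorted(paths):
        reasons.extend(check_path(path))
    return reasons


def triage_log(text):
    """Flagged lines of a whole log, in order, as (line, reasons) pairs."""
    out = []
    for raw in text.splitlines():
        reasons = triage_line(raw.strip())
        if reasons:
            out.append((raw.strip(), reasons))
    return out


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: svchost.exe
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it as a script to see which sample entries are flagged. The ordinary NVIDIA, iTunes and NVSvc entries pass clean, while the Startup-folder svchost.exe (the real one lives in System32), the missing Winlogon Notify DLL and the cmdService line are each reported. The last is worth a closer look: its directory name is a valid base64 string that decodes to plain text, something a legitimate installer has little reason to do.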
EDIT: Upon inspection of my internet connection, it is using the pre-Service Pack 2 firewall. That will be fixed in the event we get my computer fixed and SP2 is finally able to BE installed.
Worm tool being used now. Brb
Running Lop Tool
No need to tell me what step you're currently on. Just do the whole thing and report back to me with logs and any problems you may have had.
(LOP removed)
New log:
Logfile of HijackThis v1.99.1
Scan saved at 2:56:16 PM, on 12/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
NOTE: This is without SP2 yet; I will attempt to install it and let you know whether or not I was successful.
I told you this already and I'll say it once more. Please DO NOT do anything on your own unless I tell you to. Otherwise, it makes it harder to help you.
Please do this...
(About SP2, I missed the part where you said "after we clear up your computer", sorry.)
However, I found the log from "nolop" from before, if it is of any use to you:
What to do now
2) Post the Uninstall list - instructions are in post #3
3) Post a new HijackThis log
uninstall list
New Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:48:29 PM, on 12/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Please do the following...
Download one anti-virus program from the list below - They are Free!
AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition
Do not install it yet. Just save it to your Desktop. I'll tell you when to install it.
_______________________________
You have a LOP infection that often comes together with Messenger Plus. To remove it we will try the simple way first.
1. Go to Add/Remove programs. Double click on "Messenger Plus! 3 & Sponsor!" (or click on Remove) NOTE: If you don't see Messenger Plus, continue to number 6.
2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.
3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.
4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.
5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully one nasty infection is gone.
_______________________________
Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
MediaTickets by OIN
Spybot - Search & Destroy 1.3 <-- Old version. We will get the latest version later.
Remove these Norton entries
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Norton AntiVirus 2002
Norton WMI Update
Restart your computer and install the new Anti-Virus program.
Post a new Uninstall list and a new HijackThis log.
Media uninstalled.
Spybot removed.
Having a small bit of trouble with Norton, but I'll get it done; hold on (have to close this window).
New log:
Logfile of HijackThis v1.99.1
Scan saved at 4:33:57 PM, on 12/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
New list
I'll need to be heading to work in about 15 min, at which point we can continue in 4 hours when I'm back home, if you are available; if not, this will become a few-day project for me and you.
For now, can you answer these questions:
Norton is still showing in the logs. Did you have problems uninstalling it?
Have you downloaded and installed the new anti-virus program yet?
(I will probably be needing to leave before you post your instructions; we can continue later, I hope.)
I'll post the new instructions for you, so when you have time you can carry on with them.
Scan saved at 4:55:20 PM, on 12/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Aight, time for work. Thanks for the help today.
Make sure you can view hidden files and folders:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
__________________________
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Click Exit on the Main menu to close the program.
__________________________
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
__________________________
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O2 - BHO: TChkBHO Class - {6985ED8A-053C-4C15-BC46-D7E7DCF9BF05} - C:\WINDOWS\SYSTEM32\llqloq.dll (file missing)
O2 - BHO: (no name) - {C1E6FA5D-3399-4C3C-BF5D-3776143554C9} - C:\WINDOWS\system32\vbzdf.dll
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [Window Each Setup Eggs] C:\Documents and Settings\All Users\Application Data\multi meta window each\proccreative.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - Global Startup: svchost.exe
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.bitdefender.com
O15 - Trusted Zone: *.trendmicro.com.au
O15 - Trusted Zone: *.freewebs.com
O15 - Trusted Zone: *.nintendo.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.windowsmedia.com
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
__________________________
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
__________________________
Find and Delete the following in RED, if present
C:\Documents and Settings\Chris\Application Data\PLAYCL~1
C:\Documents and Settings\Chris\Application Data\MP3AUDIO
C:\Documents and Settings\All Users\Application Data\Program tick bash fast
C:\Documents and Settings\All Users\Application Data\multi meta window each
C:\WINDOWS\system32\winhost.exe
C:\WINDOWS\system32\sysfrcx.dll
We need to search and delete the following file:
Click Start > Search > All Files and Folders.
Expand More advanced options and make sure these boxes are checked
Search system folders
Search hidden files and folders
Search subfolders
Paste this into the Search box at the top:
svchost.exe
Do not delete this file from the System32 folder - that is the legit file.
This one should be somewhere in C:\Documents and Settings.... folder
If you are unsure, then make a list of what was found and post it back here.
__________________________
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)

- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
__________________________
1. Download this file to your Desktop - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________________
Please post the following:
1) AVG anti-spyware log
2) ComboFix log
3) New HijackThis log
You may need separate replies so the logs do not get cut off
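The triage the helper does by hand on these logs can be expressed as a small checker. The Python below is an added example for this thread, not HijackThis code and not a tool the helper used: it parses HijackThis "Running processes", O2, O4, O15, O20 and O23 lines and flags the same patterns picked out above (entries marked "(file missing)", svchost.exe anywhere but System32, autoruns living under Application Data, the HKLM RunServices key, Trusted Zone additions, a blanked start page). The sample log is constructed from lines in this thread; the list of System32-only process names and the "fix"/"review" split are assumptions of this example.

```python
"""Triage helper for HijackThis v1.99 log lines, modelled on the checks the
thread above applies by hand. Added example; not HijackThis code."""
from __future__ import annotations
import re
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
# Core process names that belong only in System32. The thread states this for
# svchost.exe; extending it to the other names is an assumption of this example.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe", "csrss.exe"}
PROFILE_DATA = re.compile(r"\\(application data|applic~1)\\")   # long and 8.3 forms
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|scr|com|bat|cmd))(?=[\s,]|$)", re.IGNORECASE)
PATH_ITEMS = ("O2 - BHO:", "O3 - Toolbar:", "O20 - Winlogon Notify:", "O23 - Service:")

# Constructed sample: lines lifted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {0A81A1B8-CDDE-00A9-260E-F9564A32EAC2} - C:\DOCUME~1\Chris\APPLIC~1\PLAYCL~1\Heart Flaw.exe (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bashfastseekremote] C:\Documents and Settings\All Users\Application Data\Program tick bash fast\mapi find.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Chris\APPLIC~1\MP3AUDIO\Window open.exe
O4 - Global Startup: svchost.exe
O15 - Trusted Zone: *.freewebs.com
O20 - Winlogon Notify: sysfrcx - sysfrcx.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnV0aCBDb3g\command.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    severity: str   # "fix": remove or repair; "review": confirm by hand first
    reason: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower().replace("/", "\\")


def extract_exe(cmd: str) -> str:
    """Program path from an O4 command line: quoted, bare, or followed by arguments."""
    cmd = cmd.strip()
    if " = " in cmd:                       # 'Foo.lnk = C:\...\foo.exe' (Startup-folder shortcut)
        cmd = cmd.split(" = ", 1)[1].strip()
    if cmd in ("", "?"):                   # HijackThis could not resolve the shortcut target
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return _norm(cmd[1:end] if end > 0 else cmd)
    m = EXE_RE.match(cmd)
    return _norm(m.group(1) if m else cmd)


def triage_line(line: str) -> list[Finding]:
    line = line.strip()
    out: list[Finding] = []

    def add(severity: str, reason: str) -> None:
        out.append(Finding(line, severity, reason))

    if "(file missing)" in line:
        add("fix", "orphaned entry: the referenced file no longer exists")
    if line.startswith("O15 - Trusted Zone:"):
        add("review", "site in IE Trusted Zone: relaxed browser security for that domain")
    if line.startswith("R0 - ") and line.endswith("Start Page ="):
        add("review", "start page blanked, a common leftover of a hijacker")
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        add("review", "service binary carries no vendor name")
    path = ""
    m = O4_RE.match(line)
    if m:
        path = extract_exe(m.group("cmd"))
        if "runservices" in m.group("where").lower():
            add("fix", "HKLM RunServices: Win9x-era key that legitimate XP software does not use")
        if path and "\\" not in path:
            add("review", "bare file name: resolved via the search path, so confirm where it lives")
    elif line.startswith(PATH_ITEMS) and " - " in line:
        path = _norm(line.rsplit(" - ", 1)[1].replace("(file missing)", ""))
    elif re.match(r"^[a-z]:\\", line, re.IGNORECASE):   # a 'Running processes' entry
        path = _norm(line)
    if path:
        folder, _, name = path.rpartition("\\")
        if name in SYSTEM_ONLY and folder != SYSTEM32:
            add("fix", f"{name} outside System32 (only the System32 copy is legitimate)")
        if PROFILE_DATA.search(folder + "\\"):
            add("fix", "launched from a profile Application Data folder, where this LOP family hides")
    return out


def triage(log: str) -> list[Finding]:
    return [f for line in log.splitlines() for f in triage_line(line)]


def counts(findings: list[Finding]) -> dict[str, int]:
    totals = {"fix": 0, "review": 0}
    for f in findings:
        totals[f.severity] += 1
    return totals


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(counts(triage(SAMPLE_LOG)))
```

Lines with no findings (the System32 svchost.exe, the quoted iTunesHelper entry) are left alone, which is the point: a name alone is not enough, the location decides.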
Spyware Log:
AVG Anti-Spyware - Scan Report
+ Created at: 12:07:04 AM 12/3/2006
+ Scan result:
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP10\A0000815.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\IExplorr26.clsDW -> Adware.InetSpeak : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\IExplorr26.clsDW\Clsid -> Adware.InetSpeak : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\IExplorr26.clsIS -> Adware.InetSpeak : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\IExplorr26.clsIS\Clsid -> Adware.InetSpeak : Cleaned with backup (quarantined).
C:\Documents and Settings\Ruth\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Ruth\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Ruth\Start Menu\Programs\WhenU\WhenU Help Desk.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\data -> Downloader.IstBar.nh : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\Αdobe\lsass.exe -> Downloader.PurityScan.dr : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie Joe\Local Settings\Temp\b103.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0000666.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP11\A0000932.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\WINDOWS\browser.exe -> Hijacker.Small : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\foox4wel.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\foox4wel.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Katie Joe\Application Data\Mozilla\Profiles\default\ani865zo.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Katie Joe\Application Data\Mozilla\Profiles\default\ani865zo.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Katie Joe\Application Data\Mozilla\Profiles\default\ani865zo.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Katie Joe\Application Data\Mozilla\Profiles\default\ani865zo.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.17:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.18:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.13:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.14:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.15:C:\Documents and Settings\Ruth\Application Data\Mozilla\Profiles\default\mum1pcnz.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Ruth\Local Settings\Temp\Cookies\ruth@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Ruth\Local Settings\Temp\Cookies\ruth@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\SYSTEM32\winttr.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
Combofix Log
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Chris\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\outlook
C:\Program Files\Common Files\{60D8163D-095F-1033-0917-020816020001}
C:\WINDOWS\UnV0aCBDb3g
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Program Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
((((((((((((((((((((((((((((((( Files Created from 2006-11-03 to 2006-12-03 ))))))))))))))))))))))))))))))))))
2006-12-02 21:49 3,968 --a
C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-02 18:45 <DIR> dr-h
C:\$VAULT$.AVG
2006-12-02 16:53 816,672 --a
C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-12-02 16:53 4,960 --a
C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
2006-12-02 16:53 4,224 --a
C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
2006-12-02 16:53 3,968 --a
C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
2006-12-02 16:53 28,416 --a
C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-12-02 16:53 18,240 --a
C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
2006-12-02 16:53 <DIR> d
C:\Program Files\Grisoft
2006-12-02 16:53 <DIR> d
C:\Documents and Settings\Chris\Application Data\AVG7
2006-12-02 16:53 <DIR> d
C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-02 16:53 <DIR> d
C:\Documents and Settings\All Users\Application Data\avg7
2006-12-02 15:37 <DIR> d
C:\WINDOWS\SYSTEM32\ZoneLabs
2006-12-02 15:37 <DIR> d
C:\Program Files\Zone Labs
2006-12-02 15:36 <DIR> d
C:\WINDOWS\Internet Logs
2006-12-02 15:07 <DIR> d
C:\FindLop
2006-12-02 14:50 <DIR> d
C:\NoLopBackups
2006-12-02 13:15 <DIR> d
C:\Documents and Settings\Chris\.housecall6.6
2006-12-02 10:02 <DIR> d
C:\Program Files\XoftSpySE
2006-12-02 09:02 593,408 --a
C:\WINDOWS\SYSTEM32\h323msp.dll
2006-12-02 09:02 550,400 --a
C:\WINDOWS\SYSTEM32\rtcdll.dll
2006-12-02 09:02 48,640 --a
C:\WINDOWS\SYSTEM32\browser.dll
2006-12-02 09:02 454,656 --a
C:\WINDOWS\SYSTEM32\ipnathlp.dll
2006-12-02 09:02 36,864 --a
C:\WINDOWS\SYSTEM32\mf3216.dll
2006-12-02 09:01 97,280 --a
C:\WINDOWS\SYSTEM32\txflog.dll
2006-12-02 09:01 64,512 --a
C:\WINDOWS\SYSTEM32\mtxclu.dll
2006-12-02 09:01 442,880 --a
C:\WINDOWS\SYSTEM32\rpcrt4.dll
2006-12-02 09:01 226,816 --a
C:\WINDOWS\SYSTEM32\es.dll
2006-12-02 09:01 214,528 --a
C:\WINDOWS\SYSTEM32\rpcss.dll
2006-12-02 09:01 1,105,408 --a
C:\WINDOWS\SYSTEM32\ole32.dll
2006-12-02 08:55 218,624 --a
C:\WINDOWS\SYSTEM32\srrstr.dll
2006-12-02 08:40 17,408 --a
C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-12-02 08:39 <DIR> d
C:\WINDOWS\LastGood
2006-12-02 08:28 <DIR> d
C:\WINDOWS\Prefetch
2006-12-02 08:19 <DIR> d
C:\WINDOWS\LastGood.Tmp
2006-12-02 08:15 90,624 --a
C:\WINDOWS\SYSTEM32\msoert2.dll
2006-12-02 08:15 9,728 --a
C:\WINDOWS\SYSTEM32\mstinit.exe
2006-12-02 08:15 77,824 --a
C:\WINDOWS\SYSTEM32\isign32.dll
2006-12-02 08:15 73,728 --a
C:\WINDOWS\SYSTEM32\ils.dll
2006-12-02 08:15 70,400 --a
C:\WINDOWS\SYSTEM32\DRIVERS\sr.sys
2006-12-02 08:15 69,632 --a
C:\WINDOWS\SYSTEM32\icwdial.dll
2006-12-02 08:15 65,536 --a
C:\WINDOWS\SYSTEM32\msconf.dll
2006-12-02 08:15 61,952 --a
C:\WINDOWS\SYSTEM32\srclient.dll
2006-12-02 08:15 61,440 --a
C:\WINDOWS\SYSTEM32\icwphbk.dll
2006-12-02 08:15 47,616 --a
C:\WINDOWS\SYSTEM32\inetres.dll
2006-12-02 08:15 40,960 --a
C:\WINDOWS\SYSTEM32\safrslv.dll
2006-12-02 08:15 39,424 --a
C:\WINDOWS\SYSTEM32\safrcdlg.dll
2006-12-02 08:15 361,984 --a
C:\WINDOWS\SYSTEM32\qmgr.dll
2006-12-02 08:15 33,280 --a
C:\WINDOWS\SYSTEM32\racpldlg.dll
2006-12-02 08:15 32,768 --a
C:\WINDOWS\SYSTEM32\mnmsrvc.exe
2006-12-02 08:15 32,384 --a
C:\WINDOWS\SYSTEM32\mnmdd.dll
2006-12-02 08:15 28,672 --a
C:\WINDOWS\SYSTEM32\isrdbg32.dll
2006-12-02 08:15 266,240 --a
C:\WINDOWS\SYSTEM32\inetcfg.dll
2006-12-02 08:15 26,624 --a
C:\WINDOWS\SYSTEM32\safrdm.dll
2006-12-02 08:15 250,368 --a
C:\WINDOWS\SYSTEM32\mstask.dll
2006-12-02 08:15 24,576 --a
C:\WINDOWS\SYSTEM32\nmmkcert.dll
2006-12-02 08:15 228,864 --a
C:\WINDOWS\SYSTEM32\msoeacct.dll
2006-12-02 08:15 158,720 --a
C:\WINDOWS\SYSTEM32\schedsvc.dll
2006-12-02 08:15 155,136 --a
C:\WINDOWS\SYSTEM32\srsvc.dll
2006-12-02 08:14 98,816 --a
C:\WINDOWS\SYSTEM32\clipbrd.exe
2006-12-02 08:14 88,576 --a
C:\WINDOWS\SYSTEM32\tscfgwmi.dll
2006-12-02 08:14 85,504 --a
C:\WINDOWS\SYSTEM32\catsrvps.dll
2006-12-02 08:14 8,704 --a
C:\WINDOWS\SYSTEM32\icaapi.dll
2006-12-02 08:14 73,864 --a
C:\WINDOWS\SYSTEM32\rdpwsx.dll
2006-12-02 08:14 61,952 --a
C:\WINDOWS\SYSTEM32\rdshost.exe
2006-12-02 08:14 6,144 --a
C:\WINDOWS\SYSTEM32\msdtc.exe
2006-12-02 08:14 56,320 --a
C:\WINDOWS\SYSTEM32\remotepg.dll
2006-12-02 08:14 54,784 --a
C:\WINDOWS\SYSTEM32\msdtclog.dll
2006-12-02 08:14 534,016 --a
C:\WINDOWS\SYSTEM32\spider.exe
2006-12-02 08:14 503,296 --a
C:\WINDOWS\SYSTEM32\mstscax.dll
2006-12-02 08:14 41,984 --a
C:\WINDOWS\SYSTEM32\rdpclip.exe
2006-12-02 08:14 40,448 --a
C:\WINDOWS\SYSTEM32\tscupgrd.exe
2006-12-02 08:14 4,096 --a
C:\WINDOWS\SYSTEM32\wuauserv.dll
2006-12-02 08:14 385,536 --a
C:\WINDOWS\SYSTEM32\mstsc.exe
2006-12-02 08:14 339,968 --a
C:\WINDOWS\SYSTEM32\mspaint.exe
2006-12-02 08:14 32,768 --a
C:\WINDOWS\SYSTEM32\cfgbkend.dll
2006-12-02 08:14 20,232 --a
C:\WINDOWS\SYSTEM32\DRIVERS\tdtcp.sys
2006-12-02 08:14 197,632 -ra
C:\WINDOWS\SYSTEM32\termsrv.dll
2006-12-02 08:14 18,432 --a
C:\WINDOWS\SYSTEM32\qprocess.exe
2006-12-02 08:14 179,200 --a
C:\WINDOWS\SYSTEM32\accwiz.exe
2006-12-02 08:14 14,848 --a
C:\WINDOWS\SYSTEM32\rdpsnd.dll
2006-12-02 08:14 134,656 --a
C:\WINDOWS\SYSTEM32\rdchost.dll
2006-12-02 08:14 130,048 --a
C:\WINDOWS\SYSTEM32\sessmgr.exe
2006-12-02 08:14 124,416 --a
C:\WINDOWS\SYSTEM32\sndrec32.exe
2006-12-02 08:14 124,184 --a
C:\WINDOWS\SYSTEM32\wuauclt.exe
2006-12-02 08:14 12,288 --a
C:\WINDOWS\SYSTEM32\rdsaddin.exe
2006-12-02 08:14 116,736 --a
C:\WINDOWS\SYSTEM32\mplay32.exe
2006-12-02 08:14 11,144 --a
C:\WINDOWS\SYSTEM32\DRIVERS\tdpipe.sys
2006-12-02 08:14 1,343,768 --a
C:\WINDOWS\SYSTEM32\wuaueng.dll
2006-12-02 08:13 57,344 --a
C:\WINDOWS\SYSTEM32\licwmi.dll
2006-12-02 08:13 53,248 --a
C:\WINDOWS\SYSTEM32\servdeps.dll
2006-12-02 08:13 50,048 --a
C:\WINDOWS\SYSTEM32\DRIVERS\DMusic.sys
2006-12-02 08:13 181,632 --a
C:\WINDOWS\SYSTEM32\DRIVERS\rdpdr.sys
2006-12-02 08:13 174,592 --a
C:\WINDOWS\SYSTEM32\cmprops.dll
2006-12-02 08:13 16,384 --a
C:\WINDOWS\SYSTEM32\mmfutil.dll
2006-12-02 08:12 55,936 --a
C:\WINDOWS\SYSTEM32\DRIVERS\redbook.sys
2006-12-02 08:10 37,896 --a
C:\WINDOWS\SYSTEM32\DRIVERS\termdd.sys
2006-12-02 08:09 70,656 --a
C:\WINDOWS\SYSTEM32\storprop.dll
2006-12-02 08:09 24,661 --a
C:\WINDOWS\SYSTEM32\spxcoins.dll
2006-12-02 08:09 13,312 --a
C:\WINDOWS\SYSTEM32\irclass.dll
2006-12-02 08:09 10,496 --a
C:\WINDOWS\SYSTEM32\DRIVERS\irenum.sys
2006-11-23 08:05 <DIR> d
C:\Documents and Settings\Chris\WoW-1.12.x-to-2.0.1-enUS-patch
2006-11-21 07:07 <DIR> d
C:\WINDOWS\SYSTEM32\Kaspersky Lab
2006-11-18 13:16 <DIR> d
C:\Program Files\Western Digital Technologies
2006-11-16 19:41 <DIR> d
C:\WINDOWS\SYSTEM32\àdobe
2006-11-16 19:11 <DIR> d
C:\WINDOWS\qrfk
2006-11-16 19:11 <DIR> d
C:\Program Files\Common Files\qrfk
2006-11-16 16:08 0 --a
C:\WINDOWS\SYSTEM32\taskkill.exe
2006-11-12 10:54 <DIR> d
C:\Program Files\Game Cam Lite v1.4
2006-11-12 10:18 <DIR> d
C:\Program Files\Game Cam v1.4
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-03 08:31
d-a
C:\Program Files\Common Files
2006-12-03 08:27
d
C:\Documents and Settings\Chris\Application Data\Xfire
2006-12-02 17:02 12464 --a
C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys
2006-12-02 16:52
d---s---- C:\Documents and Settings\Chris\Application Data\Microsoft
2006-12-02 16:50
d
C:\Program Files\Common Files\Symantec Shared
2006-12-02 16:44
d
C:\Program Files\Symantec
2006-12-02 16:29
d
C:\Program Files\Spybot - Search & Destroy
2006-12-02 16:27
d
C:\Program Files\Norton AntiVirus
2006-12-02 09:03
d
C:\Program Files\NetMeeting
2006-12-02 08:48
d
C:\Program Files\MSN Messenger
2006-12-02 08:39
d--h
C:\Program Files\WindowsUpdate
2006-12-02 08:21
d
C:\Program Files\Windows Media Player
2006-12-02 08:15
d
C:\Program Files\Outlook Express
2006-12-02 08:15
d
C:\Program Files\Movie Maker
2006-12-02 08:15
d
C:\Program Files\Internet Explorer
2006-12-02 08:15
d
C:\Program Files\Common Files\System
2006-12-02 08:14
d
C:\Program Files\Windows NT
2006-12-02 08:14
d
C:\Program Files\MSN
2006-12-02 07:47
d---s---- C:\Program Files\Xfire
2006-12-01 07:12
d
C:\Program Files\World of Warcraft
2006-11-27 07:35
d
C:\Program Files\SpywareBlaster
2006-11-26 21:43
d
C:\Documents and Settings\Chris\Application Data\Skype
2006-11-22 22:46
d
C:\Program Files\Warcraft III
2006-11-22 07:19
d
C:\Program Files\Windows Live Toolbar
2006-11-21 16:45
d
C:\Documents and Settings\Chris\Application Data\Macromedia
2006-11-16 16:37
d--h
C:\Program Files\InstallShield Installation Information
2006-11-16 16:37
d
C:\Program Files\Macromedia
2006-11-08 15:44
d
C:\Program Files\StealthBot
2006-11-05 15:42
d
C:\Documents and Settings\Chris\Application Data\teamspeak2
2006-11-04 08:58 28672 --a
C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2006-10-16 21:25
d
C:\Program Files\WinRAR
2006-10-14 21:31
d
C:\Program Files\BFG
2006-09-15 21:52 91904 --a
C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"PopUpStopperFreeEdition"="\"C:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Logitech Utility"="Logi_MwX.Exe"
"YeppStudioAgent"="C:\\Program Files\\Samsung\\Samsung Media Studio\\SamsungMediaStudioAgent.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"nwiz"="nwiz.exe /install"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,01,00,00,00,80,02,00,00,3a,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\PCHealth Scheduler for Upload Library.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\XoftSpySE.job
Completion time: 06-12-03 8:33:02.04
C:\ComboFix.txt ... 06-12-03 08:33
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:40:27 AM, on 12/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {83CBCA29-1EA9-7C78-926D-0E5B270D79FB} - C:\WINDOWS\system32\vbzdf.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Lines O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) BTW are from an ONLINE scanner ;) at least I'm pretty sure they are.
C:\WINDOWS\qrfk
C:\Program Files\Common Files\qrfk
______________________
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O2 - BHO: (no name) - {83CBCA29-1EA9-7C78-926D-0E5B270D79FB} - C:\WINDOWS\system32\vbzdf.dll (file missing)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
______________________
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement."
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
- Java 2 Runtime Environment, SE v1.4.2
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-1_5_0_10s-windowsi586-p.exe to install the newest version.
______________________
Post a new HijackThis log, and let me know the answer about the folders
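The entry the helper singles out above is an O2 BHO with no name whose DLL is already gone ("file missing"), which is the classic shape of an orphaned load point left behind after a partial cleanup. As an added example, not part of this thread and not HijackThis's own code, here is a small Python triage script that applies a few defender-side heuristics of that kind to HijackThis-style log lines: unnamed BHOs, entries pointing at missing files, Run entries given as a bare filename rather than a full path, a broken Winsock LSP chain, a populated AppInit_DLLs value, and services with no publisher. The sample log is constructed from entries shaped like the ones quoted in this thread, and the heuristics are my own review rules, not a verdict on any particular entry.

```python
import re

# Constructed sample: a handful of lines in the shape of the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {83CBCA29-1EA9-7C78-926D-0E5B270D79FB} - C:\WINDOWS\system32\vbzdf.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O20 - AppInit_DLLs: ,wbsys.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O23 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# O4 registry Run entries look like: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entry(line):
    """Split one log line into (section, body); return None for headers and process listings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def reasons_for(line):
    """Return the list of review reasons that apply to one line (empty list: nothing to flag)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []

    # A load point whose target no longer exists does nothing useful and only hides
    # what was there; removing the orphaned entry is the normal cleanup step.
    if "(file missing)" in body:
        reasons.append("target file missing: orphaned load point")

    # Legitimate browser helper objects almost always register a display name.
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO: review the CLSID and the DLL it points to")

    # A Run value that is only a filename is resolved through the PATH search order,
    # so it cannot be verified without finding which copy actually gets executed.
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            if "\\" not in cmd:
                reasons.append("Run entry without a full path: locate the real binary")

    # HijackThis reports O10 when a Winsock LSP provider DLL is missing from disk.
    if section == "O10":
        reasons.append("Winsock LSP chain references a missing provider DLL")

    # AppInit_DLLs is loaded into every process that links user32.dll; it should normally be empty.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        if dlls:
            reasons.append("AppInit_DLLs set: " + ", ".join(dlls))

    # A service binary with no publisher is not necessarily bad, but it is unverified.
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher information: verify the binary")

    return reasons


def triage(log_text):
    """Return (section, line, reasons) for every entry in the log that raised at least one reason."""
    findings = []
    for line in log_text.splitlines():
        reasons = reasons_for(line)
        if reasons:
            findings.append((parse_entry(line)[0], line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(section, line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the script flags five of the seven lines and leaves the two fully pathed, named entries alone; the vbzdf.dll line collects two reasons, which is the same judgement the helper reached by eye. The rules are deliberately conservative review prompts rather than a verdict: an entry such as the Logitech one is flagged only because its binary has to be located before it can be trusted.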
C:\WINDOWS\qrfk
qrfk.dat
wu (no file extension?!?)
C:\Program Files\Common Files\qrfk
qrfkd (folder)
qfrka.lck
qrfkh (no file extension)
qrfkl.lck
qrfkm.lck
qrfkp.lck
Line "fixed"
Java Installed
(Still experiencing the following problems:
- Slow loading windows to user screen
- black screen sometimes upon logout (not on my account, on other user accounts.)
Just FYI)
New Log:
Logfile of HijackThis v1.99.1
Scan saved at 9:18:27 PM, on 12/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?eaa9cb3391864ed381c343b48bd4c511
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?eaa9cb3391864ed381c343b48bd4c511
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\qrfk
C:\Program Files\Common Files\qrfk
The HijackThis log from your account is clean. If you could post HijackThis logs, one at a time, from the other accounts then I will take a look at them.
Currently Svchost.exe is found in:
C:\I386
C:\Windows\Prefetch\SVCHOST.EXE-2D5FBD18.pf (should i worry about this one?)
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819
Please confirm which are safe to delete. I've had one get accidentally removed before and it wasn't fun to deal with. I'd rather you tell me which are OK to remove and which aren't.
Also, MSN now has a pretty big bug whenever I try to open it. It still opens correctly, but I think some file was misplaced when I re-installed Windows because it claims to be missing a DLL file. Let me open it again and copy exactly what it says....
"The procedure entry point CreateInfoWindow could not be located in the dynamic link library MSOERT2.dll"
Logfile from Ruth (account 2 of 3):
Logfile of HijackThis v1.99.1
Scan saved at 4:07:30 PM, on 12/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\Ruth\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\zgtroiqjyj\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\zgtroiqjyj\csrss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Ruth\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [taskman] C:\WINDOWS\System32\taskman.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: csrss.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?c8b6bc6a92584f31936605e3a5bf2ee6
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?c8b6bc6a92584f31936605e3a5bf2ee6
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: http://www.battleforums.com
O15 - Trusted Zone: http://www.freewebs.com
O15 - Trusted Zone: http://clanhunter.proboards24.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Delete this file:
C:\Windows\Prefetch\SVCHOST.EXE-2D5FBD18.pf
Go here and download the msoert2.dll file and save it to the C:\WINDOWS\System32\ folder.
http://www.dlldump.com/download-dll-files_new.php/dllfiles/M/msoert2.dll/6.00.2900.2180/download.html
__________________________
Your sister's account is infected by the MSN worm. This may or may not have caused the MSN errors.
The log shows LOP too, but let's deal with the MSN worm first.
Please download MsnVirRem.zip and save it to your desktop. Once in place, right-click the zip file and extract the files to your desktop. DO NOT RUN ANYTHING YET.
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.
In the new MsnVirRem folder that you should have on your desktop, double-click MsnVir.bat and let it run its course. A DOS window should pop up. Let it run until it disappears. It will take time.
After it disappears, reboot back into normal mode, and post a fresh HijackThis Log when requested.
__________________________
I would like to see another log from HijackThis.
- Run Hijackthis.
- Click on Open the Misc Tools section.
- Next click on Open uninstall manager.
- Press the Save list button.
- Save the file to your desktop, with the default name of uninstall_list
- Copy & paste the entire contents of that file into your next post.
__________________________
Please post the following:
1) Uninstall list
2) New HijackThis log
Also, this is my mom's account; I am unable to get access to my sister's as of yet. I will post a log from it as soon as possible.
HijackThis log (Ruth again for safety):
Logfile of HijackThis v1.99.1
Scan saved at 7:22:44 AM, on 12/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Ruth\Desktop\Temporary Repair Folder\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\zgtroiqjyj\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\zgtroiqjyj\csrss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
O4 - HKCU\..\Run: [32web] C:\DOCUME~1\Ruth\APPLIC~1\MP3AUDIO\Window open.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [taskman] C:\WINDOWS\System32\taskman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: csrss.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?c8b6bc6a92584f31936605e3a5bf2ee6
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?c8b6bc6a92584f31936605e3a5bf2ee6
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted Zone: http://www.battleforums.com
O15 - Trusted Zone: http://www.freewebs.com
O15 - Trusted Zone: http://clanhunter.proboards24.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Uninstall Log:
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
AlienGUIse
ArcSoft Funhouse
ArcSoft PhotoImpression
AVG Anti-Spyware 7.5
AVG Free Edition
BroadJump Client Foundation
Dell Solution Center
DivX Player
DivX Pro Codec Adware
Form Fill (Windows Live Toolbar)
HijackThis 1.99.1
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
In A Flash 3
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 10
Juno
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Logitech MouseWare 9.79
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Shockwave Player
MBSS Gravity Wells 2.0
Messenger Plus! Live & Sponsor
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Picture It! Photo 2002
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MSN Music Assistant
Netscape (7.02)
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
OneCare Advisor (Windows Live Toolbar)
Pop-Up Stopper Free Edition
QuickTime
RealPlayer Basic
Rhapsody Player Engine
RollerCoaster Tycoon 2 Triple Thrill Pack
Sabrina
Samsung Media Studio
Samsung Multimedia Studio
SBC Self Support Tool
SBC Yahoo! Applications
Security Update for Step By Step Interactive Training (KB898458)
Shockwave
Skype 2.5
Smart Menus (Windows Live Toolbar)
SpywareBlaster v3.5.1
Starcraft
StarCraft X-tra Editor Version 2.5
StarForge
StealthBot v2.2R4 (remove only)
StealthBot v2.4 (remove only)
StealthBot v2.4R3 (remove only)
StealthBot v2.5 (remove only)
StealthBot v2.6 Revision 3 (remove only)
Tabbed Browsing (Windows Live Toolbar)
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
The Sims Unleashed
Theme Manager
UltimateBot
Visual IP InSight(SBC)
ViviCam 3350
WD Diagnostics
WinBolo 1.14
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
World of Warcraft
World of Warcraft Desktop
Xfire (remove only)
ZoneAlarm